Elevate Your Profile At Work

Security checks across malware telemetry and agentic risk

Overview

This career guidance skill appears purpose-aligned, but users should treat the submitted career and compensation details as personal data sent to an external API.

Use this skill only with career information you are comfortable sending to ToolWeb/API provider infrastructure. Prefer pseudonymous session IDs, omit userId when not needed, and avoid sharing highly sensitive workplace details or exact compensation information unless you have reviewed the provider's privacy, retention, and deletion practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill is designed to collect and process sensitive career-assessment data, including employment background, goals, preferences, and potentially identifiable metadata, but it provides no privacy notice, retention statement, or handling limitations. This creates a real privacy and compliance risk because users may disclose personal or employment-sensitive information without informed consent about remote processing.

Missing User Warnings

Medium
Confidence: 95%
Finding
The API docs explicitly encourage sending session IDs, user IDs, timestamps, and detailed assessment content, yet they do not warn that this information is transmitted to an external service. That omission is dangerous because integrators may unknowingly forward sensitive employee or user data to a third party, creating privacy, confidentiality, and regulatory exposure.

Vague Triggers

Low
Confidence: 85%
Finding
The POST /api/career/guidance operation is described only as 'Generate personalized career guidance,' which does not clearly constrain when the skill should be invoked or what types of inputs are appropriate. In agent-integrated environments, vague operation descriptions can cause overbroad or unintended invocation, increasing the chance that sensitive user data is sent to the tool unnecessarily or that the tool is used outside its intended scope.

VirusTotal

65/65 vendors flagged this skill as clean.
